Threat Coverage

Apr 20, 2018

Hacker’s Playbook Updated with US-CERT Alert TA18-106A


The SafeBreach Hacker’s Playbook™ includes simulations for attacks described in US-CERT Alert (TA18-106A), attributed to Russian actors.

This alert covers tactics used by cyber actors that leverage a number of legacy or weak protocols and service ports associated with network administration activities. According to the alert, the attackers use these techniques to identify vulnerable devices, map internal network architectures, harvest login credentials, masquerade as privileged users, and modify firmware and OS configuration to hijack, modify, or block traffic traversing routing infrastructure.

Thanks to the depth of the Hacker’s Playbook™, many of the attacks — spanning each phase of this campaign — are already available, so customers are immediately able to validate security against the techniques indicated by the US-CERT.

SafeBreach recommends that all industries and businesses simulate these attacks to identify whether they are protected against this campaign. To assess security control effectiveness against the techniques involved, the SafeBreach Breach and Attack Simulation Platform contains many simulations, highlighted below, that test endpoint and network security controls:

Existing playbook methods already validating security related to TA18-106A

Note: Many methods below are re-used across various phases of this campaign, but only listed once here for clarity.

Stage 1: Reconnaissance

Playbook #174 and #1308 – Telnet Bruteforce

  • Network Controls – Are security controls in place to prevent brute force credential attacks over Telnet?

Playbook #1324 and #1325 – SNMP community brute force

  • Network Controls – Are security controls in place to prevent brute force credential attacks over SNMP?

Stage 2: Weaponization and Stage 3: Delivery

Playbook #130 – Exfiltration via TFTP

  • Network Controls – Are security controls in place to prevent exfiltration of stolen data over TFTP?

Stage 4: Exploitation

Playbook #174 and #1308 – Telnet Bruteforce

  • Network Controls – Are security controls in place to prevent brute force credential attacks over Telnet?

Playbook #173 and #1307 – SSH Bruteforce

  • Network Controls – Are security controls in place to prevent brute force credential attacks over SSH?

Stage 6: Command and Control

Playbook #103 and #104 – Exfiltration via FTP STOR

  • Network Controls – Are security controls in place to prevent data exfiltration over FTP?
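A defender-side check that mirrors the validation questions above, added here as an example and not SafeBreach's own code: it parses constructed key=value log lines (an assumed format) and flags repeated authentication failures against Telnet, SSH and SNMP ports as well as outbound TFTP writes and FTP STOR transfers. The port list, event names and the five-failure threshold are assumptions.

```python
import re
from collections import defaultdict

# Ports and protocols named by the TA18-106A playbook entries above.
LEGACY_AUTH_PORTS = {23: "telnet", 22: "ssh", 161: "snmp"}
TRANSFER_PORTS = {69: "tftp", 21: "ftp"}
# Assumed threshold: this many failures from one source to one device and port.
BRUTE_FORCE_THRESHOLD = 5

# Constructed sample log lines (the key=value format is an assumption, not a
# real product format): five Telnet failures, two SNMP misses, FTP STOR, TFTP write.
SAMPLE_LOG = """\
ts=2018-04-20T10:00:01Z src=10.0.0.5 dst=192.0.2.1 dport=23 event=auth_fail
ts=2018-04-20T10:00:02Z src=10.0.0.5 dst=192.0.2.1 dport=23 event=auth_fail
ts=2018-04-20T10:00:03Z src=10.0.0.5 dst=192.0.2.1 dport=23 event=auth_fail
ts=2018-04-20T10:00:04Z src=10.0.0.5 dst=192.0.2.1 dport=23 event=auth_fail
ts=2018-04-20T10:00:05Z src=10.0.0.5 dst=192.0.2.1 dport=23 event=auth_fail
ts=2018-04-20T10:00:06Z src=10.0.0.7 dst=192.0.2.1 dport=161 event=auth_fail
ts=2018-04-20T10:00:07Z src=10.0.0.7 dst=192.0.2.1 dport=161 event=auth_fail
ts=2018-04-20T10:00:08Z src=10.0.0.9 dst=198.51.100.4 dport=21 event=ftp_stor
ts=2018-04-20T10:00:09Z src=10.0.0.9 dst=198.51.100.4 dport=69 event=tftp_write
ts=2018-04-20T10:00:10Z src=10.0.0.5 dst=192.0.2.1 dport=22 event=auth_ok
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Turn one key=value log line into a dict; dport becomes an int."""
    fields = dict(KV.findall(line))
    fields["dport"] = int(fields["dport"])
    return fields

def find_findings(log_text, threshold=BRUTE_FORCE_THRESHOLD):
    """Return sorted (category, protocol, src, dst) tuples for both behaviours."""
    failures = defaultdict(int)
    findings = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        port, event = rec["dport"], rec["event"]
        if port in LEGACY_AUTH_PORTS and event == "auth_fail":
            failures[(rec["src"], rec["dst"], port)] += 1
        elif port in TRANSFER_PORTS and event in ("ftp_stor", "tftp_write"):
            findings.add(("outbound_transfer", TRANSFER_PORTS[port], rec["src"], rec["dst"]))
    for (src, dst, port), n in failures.items():
        if n >= threshold:
            findings.add(("brute_force", LEGACY_AUTH_PORTS[port], src, dst))
    return sorted(findings)
```

Each finding maps back to one of the playbook questions above; lowering the threshold (for example to 2) also surfaces the SNMP community guessing in the sample.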

As always, SafeBreach Labs will continue to monitor this alert, and develop new simulations as necessary.

The SafeBreach Hacker’s Playbook™ of breach methods simulates these breach scenarios, and thousands more, without impacting users or infrastructure. Breach methods are constantly updated by SafeBreach Labs, our team of offensive security researchers, to help keep customers ahead of attacks.
